Event ID 4662 — An operation was performed on an object.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: DS Access → Directory Service Access
Collection Priority: Recommended (mdecrevoisier, others)
Opcode: Info

Description

An operation was performed on an object.

Message

An operation was performed on an object.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Handle ID: %9

Operation:
	Operation Type: %8
	Accesses: %10
	Access Mask: %11
	Properties: %12

Additional Information:
	Parameter 1: %13
	Parameter 2: %14

Fields

Name              Description
Security_ID       [Subject] Security ID.
Account_Name      [Subject] Account Name.
Account_Domain    [Subject] Account Domain.
Logon_ID          [Subject] Logon ID.
Object_Server     [Object] Object Server.
Object_Type       [Object] Object Type.
Object_Name       [Object] Object Name.
Operation_Type    [Operation] Operation Type.
                  Known values:
                    %%1904   New registry value created
                    %%1905   Existing registry value modified
                    %%1906   Registry value deleted
                    %%14674  Value Added
                    %%14675  Value Deleted
                    %%14680  Value Added With Expiration Time
                    %%14681  Value Deleted With Expiration Time
                    %%14688  Value Auto Deleted With Expiration Time
Handle_ID         [Object] Handle ID.
Accesses          [Operation] Accesses.
Access_Mask       [Operation] Access Mask.
                  Bitmask flags:
                    0x00000001  DS_CREATE_CHILD
                    0x00000002  DS_DELETE_CHILD
                    0x00000004  DS_LIST_CONTENTS
                    0x00000008  DS_WRITE_SELF
                    0x00000010  DS_READ_PROP
                    0x00000020  DS_WRITE_PROP
                    0x00000040  DS_DELETE_TREE
                    0x00000080  DS_LIST_OBJECT
                    0x00000100  DS_CONTROL_ACCESS
                    0x00010000  DELETE
                    0x00020000  READ_CONTROL
                    0x00040000  WRITE_DAC
                    0x00080000  WRITE_OWNER
Properties        [Operation] Properties. (UnicodeString)
Parameter_1       [Additional Information] Parameter 1.
Parameter_2       [Additional Information] Parameter 2.

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4662,
    "version": 0,
    "level": 0,
    "task": 14080,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2019-03-25T10:05:30.695604Z",
    "event_record_id": 198238041,
    "correlation": {},
    "execution": {
      "process_id": 444,
      "thread_id": 4200
    },
    "channel": "Security",
    "computer": "DC1.insecurebank.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "DC1$",
    "SubjectDomainName": "insecurebank",
    "SubjectLogonId": "0xb3ac2",
    "ObjectServer": "DS",
    "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    "ObjectName": "%{c6faf700-bfe4-452a-a766-424f84c29583}",
    "OperationType": "Object Access",
    "HandleId": "0x0",
    "AccessList": "%%7688\r\n\t\t\t\t",
    "AccessMask": "0x100",
    "Properties": "%%7688\r\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n",
    "AdditionalInfo": "-",
    "AdditionalInfo2": ""
  }
}

Detection Patterns

Community Notes

An operation on an Active Directory object; may indicate enumeration of domain trusts, OUs, SPNs or ACLs. Also logged when an attacker uses Mimikatz or a similar tool to extract the DPAPI domain backup key.

Detection Rules

Sigma (6 rules)

Elastic

  • First Time Seen Account Performing DCSync (severity: high): This rule identifies when a user account starts the Active Directory replication process for the first time. Attackers can use the DCSync technique to get credential information for individual accounts or the entire domain, thus compromising the entire domain.
  • Potential Credential Access via DCSync (severity: medium): This rule identifies when a user account starts the Active Directory replication process. Attackers can use the DCSync technique to get credential information for individual accounts or the entire domain, thus compromising the entire domain.
  • Access to a Sensitive LDAP Attribute (severity: medium): Identifies access to sensitive Active Directory object attributes that contain credentials and decryption keys, such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.
  • Suspicious Access to LDAP Attributes (severity: low): Identifies read access to a high number of Active Directory object attributes. Knowledge of object properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.

Splunk

  • Windows AD Abnormal Object Access Activity: The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.
  • Windows AD Privileged Object Access Activity: The following analytic detects access attempts to privileged Active Directory objects, such as Domain Admins or Enterprise Admins. It leverages Windows Security Event Code 4662 to identify when these sensitive objects are accessed. This activity is significant because such objects should rarely be accessed by normal users or processes, and unauthorized access attempts may indicate attacker enumeration or lateral movement within the domain. If confirmed malicious, this activity could allow attackers to escalate privileges, persist in the environment, or gain control over critical domain resources.
  • Windows AD Replication Request Initiated by User Account: The following analytic detects a user account initiating an Active Directory replication request, indicative of a DCSync attack. It leverages EventCode 4662 from the Windows Security Event Log, focusing on specific object types and replication permissions. This activity is significant because it can allow an attacker with sufficient privileges to request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of the entire domain. Also matches: Event ID 4624 (An account was successfully logged on).
  • Windows AD Replication Request Initiated from Unsanctioned Location: The following analytic identifies unauthorized Active Directory replication requests initiated from non-domain controller locations. It leverages EventCode 4662 to detect when a computer account with replication permissions creates a handle to domainDNS, filtering out known domain controller IP addresses. This activity is significant as it may indicate a DCSync attack, where an attacker with privileged access can request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential full domain compromise. Also matches: Event ID 4624 (An account was successfully logged on).
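As an added example (not part of this page or of any of the rule sets listed above), the Python below triages a 4662 record the way the Elastic and Splunk DCSync rules describe: it expands the Access Mask bits from the field table, pulls the control access right GUIDs out of the CRLF/tab-padded Properties string of the Example Event, and separates a DC machine account's routine replication from a user account requesting replication. The flag table and the first replication GUID come from this page; the two further replication-right GUIDs are standard AD schema values, and the user-account event is constructed.

```python
import re

# Access Mask bit names for directory objects, from this page's Access_Mask field table.
DS_ACCESS_FLAGS = {
    0x00000001: "DS_CREATE_CHILD", 0x00000002: "DS_DELETE_CHILD",
    0x00000004: "DS_LIST_CONTENTS", 0x00000008: "DS_WRITE_SELF",
    0x00000010: "DS_READ_PROP", 0x00000020: "DS_WRITE_PROP",
    0x00000040: "DS_DELETE_TREE", 0x00000080: "DS_LIST_OBJECT",
    0x00000100: "DS_CONTROL_ACCESS", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
}
# Control access rights that authorise directory replication. Only the first GUID
# appears in the page's example event; the other two are standard AD schema values.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)

def decode_access_mask(mask: str) -> list:
    """Map a hex AccessMask such as '0x100' to the bit names set in it."""
    value = int(mask, 16)
    return [name for bit, name in DS_ACCESS_FLAGS.items() if value & bit]

def properties_guids(properties: str) -> list:
    """Pull the {GUID} tokens out of the tab/CRLF-padded Properties string."""
    return [g.lower() for g in GUID_RE.findall(properties)]

def classify_4662(event_data: dict) -> str:
    """Triage one 4662 event_data record for a replication (DCSync-style) request:
    control access with a replication right is a replica pull; a DC's own machine
    account doing it is routine, any other subject is what the rules above alert on."""
    flags = decode_access_mask(event_data["AccessMask"])
    rights = [REPLICATION_RIGHTS[g] for g in properties_guids(event_data["Properties"])
              if g in REPLICATION_RIGHTS]
    if "DS_CONTROL_ACCESS" not in flags or not rights:
        return "not a replication request"
    subject = event_data["SubjectUserName"]
    if subject.endswith("$"):
        return f"replication by computer account {subject}: confirm it is a DC"
    return f"replication by user account {subject}: potential DCSync ({', '.join(rights)})"

# The page's example event_data (a DC machine account replicating); USER_EVENT is a
# constructed variant with a user-account subject to show the alerting case.
EXAMPLE_EVENT = {
    "SubjectUserName": "DC1$", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
    "Properties": "%%7688\r\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\r\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}\r\n",
}
USER_EVENT = dict(EXAMPLE_EVENT, SubjectUserName="jdoe")  # constructed, not from the page
```

The computer-account branch is only a first filter; the Splunk "Unsanctioned Location" rule goes further by correlating the subject with the 4624 logon to check that the replicating machine is actually a domain controller.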

Kusto Query Language

  • ADFS DKM Master Key Export (severity: medium): Identifies an export of the ADFS DKM master key from Active Directory. References: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/ and https://cloud.google.com/blog/topics/threat-intelligence/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor. For the details behind this detection, see the original PR and the subsequent update: https://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469 and https://github.com/Azure/Azure-Sentinel/pull/1512#issue-543053339
